ABSTRACT



A distributed authentication service that automates an authentication exchange between a user and an application program of a distributed network system. The novel distributed authentication service comprises an exchange controller coupled to an authentication database containing a group of encrypted application secrets associated with the user. Each application secret is, in turn, associated with a particular program resident in the system. According to the present invention, the controller cooperates with the database to automate the exchange procedure by (i) receiving an authentication inquiry generated by the particular program in response to the user's request to access that program and (ii) providing that program with the proper application secret retrieved from the database. The group of encrypted application secrets associated with the user is referred to as a "keychain." Each keychain is assigned a public/private key pair, with all secrets in the keychain being encrypted with the public key. The user may be associated with one or more keychains, each of which may be further associated with different secrets. Since these secrets correspond to application programs, the association of programs to keychains may be based upon various characteristics, such as the user's rights with respect to the programs. Furthermore, each application program may be accessible by the same or different users so that, e.g., those users having the same access rights for a program may utilize the same keychain containing each user's secrets for the programs.

20 Claims, 6 Drawing Sheets 
SYSTEM AND METHOD FOR AUTOMATICALLY AUTHENTICATING A USER IN A DISTRIBUTED NETWORK SYSTEM

FIELD OF THE INVENTION 

The present invention relates generally to public key cryptography in distributed data processing systems and, more specifically, to a means for transparently authenticating a user to multiple services and applications in a distributed system.

BACKGROUND OF THE INVENTION 

In a distributed data processing network system, the methodology employed to reliably verify the identity of a communicating device across the network prior to allowing the device to access system operations and resources is referred to as authentication. Access to the system may be, for example, for the purpose of communicating with other users, retrieving secure information, or receiving a service. Distributed systems generally include various computer nodes interconnected by a communications medium. The computer nodes may include nodes that are directly accessed by users, e.g., workstations, and nodes running specialized applications, e.g., servers. These nodes, the processes running on these nodes, and the users of the distributed system are referred to as "principals." The authentication exchange is performed on behalf of the principals.

Public key cryptography is a method of secure communication in which each principal has a public encryption key and a private encryption key, and two principals can communicate knowing only each other's public keys. An encryption key is a code or number which, when taken together with an encryption algorithm, defines a unique transformation used to encrypt or decrypt data. A public key system may be used in such a way as to ensure confidentiality of the information being transmitted, i.e., to ensure that the information may not be understood by an eavesdropper, as well as to ensure the authenticity of the sender of the information.

The manner in which a public key cryptography system operates to ensure authentication may be understood without reference to the mathematical transformations that are used for encryption and decryption. Public key cryptography is also referred to as "asymmetric" encryption because information encoded with a public key may be decoded only by using a complementary private key, the associated public and private keys defining a key pair. According to this type of encryption, the private key is known only to the owner of the key, while the public key is known to other principals in the system.

Accordingly, to effect a secure transmission of information to a recipient, a principal encodes ("encrypts") the information with the recipient's public key. Since only the intended recipient has the complementary private key, only that principal can decode ("decrypt") it. On the other hand, to prove to a recipient of information that the sender is who he purports to be, the sender encodes ("signs") the information with its private key. If the recipient can decode ("verify") the information, it knows that the sender has correctly identified itself. In public key cryptography, each principal is responsible for knowing its own private key and all the public keys are generally accessible from one location, typically a directory service.

Operation of a public key cryptography system will now be described with reference to an illustrative log-in authentication exchange between a workstation, acting on behalf of a user, and a remote server. Basically, the workstation encrypts a message for confidentiality by performing a transformation using the server's public key, and the server decrypts the message by performing a transformation using its private key.

Specifically, a user logs into the workstation with the user's password and the workstation derives a secret, non-complementary encryption key by applying a known hash algorithm to the password. The workstation then requests the user's private key from a directory service (DS) of the remote server. The user's private key has previously been encrypted under the same secret encryption key and stored as a "credential" of the directory. A credential is a table entry comprising the user's name and the user's private key; in other words, the credential is a representation of the user in the computer. The remote server returns the encrypted private key to the workstation, which uses the secret key to decrypt and obtain the private key.
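As an added illustration of the log-in exchange just described (this is example code, not code from the patent), the following Go program derives the secret key from the password with a known hash, stores the user's private key encrypted under that key as a directory credential, and recovers it at log-in. SHA-256 as the hash, AES-256-GCM as the encryption, the binding of the user name as associated data, and the sample user, password and key bytes are all assumptions of this example; the page names neither hash nor cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is the directory table entry described above: the user's name and
// the user's private key, the latter stored encrypted under the password-derived key.
type Credential struct {
	UserName            string
	Nonce               []byte
	EncryptedPrivateKey []byte
}

// deriveSecretKey applies a known hash (SHA-256 assumed) to the password to obtain
// the secret, non-complementary encryption key the workstation uses.
func deriveSecretKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// newGCM wraps the derived key in AES-256-GCM (an assumption; the page names no cipher).
func newGCM(password string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveSecretKey(password))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPrivateKey is the registration-time step: the private key is encrypted under
// the password-derived key and the result is stored as the user's credential.
func SealPrivateKey(userName, password string, privateKey []byte) (Credential, error) {
	gcm, err := newGCM(password)
	if err != nil {
		return Credential{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Credential{}, err
	}
	// The user name is bound as associated data, so the blob only opens for its own entry.
	ct := gcm.Seal(nil, nonce, privateKey, []byte(userName))
	return Credential{UserName: userName, Nonce: nonce, EncryptedPrivateKey: ct}, nil
}

// OpenPrivateKey is the log-in step: the workstation derives the same key from the
// typed password and decrypts the credential returned by the directory service.
// A wrong password fails the GCM tag check instead of yielding a garbage key.
func OpenPrivateKey(cred Credential, password string) ([]byte, error) {
	gcm, err := newGCM(password)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, cred.Nonce, cred.EncryptedPrivateKey, []byte(cred.UserName))
}

func main() {
	privateKey := []byte("constructed-private-key-bytes") // stand-in for real key material
	cred, err := SealPrivateKey("alice", "correct horse", privateKey)
	if err != nil {
		panic(err)
	}
	got, err := OpenPrivateKey(cred, "correct horse")
	fmt.Printf("right password: %q err=%v\n", got, err)
	_, err = OpenPrivateKey(cred, "wrong password")
	fmt.Println("wrong password:", err)
}
```

With an authenticated cipher the workstation learns that a wrong password (or a credential swapped between users) fails, rather than continuing with a meaningless private key. The plain hash is what the page describes; a deployment today would stretch the password with a memory-hard key derivation function before using it as a key.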

Once the user is authenticated by the directory services on the network, and is then given access to the network, the user attempts to access either network-based services or applications. For example, the user may attempt to log into a different network or access a different operating system (e.g., accessing a DCE-based Unix server) or access applications such as Lotus Notes or Novell GroupWise. Generally, each of these entities includes a component referred to as an authentication agent that maintains the user's identity (ID) and secrets (e.g., passwords). Although the user has been authenticated on the network, authentication agents generally are not aware of the network authentication, and thus query the user for its password. This can consume considerable bandwidth and can be quite intrusive to the user, particularly in systems requiring users to be authenticated whenever a resource is accessed.

Some conventional systems attempt to reduce the number of authentications a user must perform. For example, the Macintosh operating system, available from Apple Computer, Inc., provides what is referred to as a "keychain." Here, the operating system enables a user to manually enter all of its passwords on a single keychain that resides within the operating system. A keychain password is then used by the user to gain access and run all of the network services at the time the workstation is booted.

One drawback to this approach is that there is only one keychain per operating system (i.e., per workstation), thereby limiting the availability of a user's keychain to solely the single workstation. In other words, the localized nature of the keychain prevents the user from utilizing other workstations or systems throughout the distributed network system. Additionally, the use of a single keychain provides a single level of access control to all application programs in the system for a given workstation; that is, different access rights cannot be associated with different programs for a user.

Another drawback to the "Macintosh" keychain approach is that it only stores user names and passwords for network-based services, as opposed to application programs. That is, although single password access is provided to all services, a user must continue to authenticate itself to each program that is accessed.

An alternate approach to reducing the number of authentications performed by a user is provided by the Windows 95 (Win95) operating system available from Microsoft Corporation. Win95 provides a method of allowing users to enter only one password (at start-up time) when logging into the network. A drawback of this approach is that, like the Macintosh keychain technique, the service is only available on each local workstation as part of its operating system, and is not available on the network in a distributed form.

More troubling, however, is that the service does not allow passwords of choice for application programs or network logins, thus requiring all services accessed by the workstation to synchronize their passwords with the Win95 password for that platform. Security concerns arise when a user assigns the same value to all of its passwords. Under such circumstances, the user's rights to all applications, rather than to just a single system, are given away if the password is compromised. This may further compromise portions of the network system as well as the confidentiality of the user's information.

It can thus be seen from the foregoing that each of the conventional approaches to simplifying the authentication process has limited capabilities and flexibility. What is needed, therefore, is a means for easily and efficiently authenticating a user to various application programs or systems in a distributed network without compromising the security of the network or the confidentiality of the users' information.

SUMMARY OF THE INVENTION

The present invention relates to a distributed authentication service that automates an authentication exchange between a user and an application program of a distributed network system. The novel distributed authentication service comprises an exchange controller coupled to an authentication database containing a group of encrypted application secrets associated with the user. Each application secret is, in turn, associated with a particular program resident in the system. According to the present invention, the controller cooperates with the database to automate the exchange procedure by (i) receiving an authentication inquiry generated by the particular program in response to the user's request to access that program and (ii) providing that program with the proper application secret retrieved from the database.

The group of encrypted application secrets associated with the user is referred to as a "keychain." Each keychain is assigned a public/private key pair, with all secrets in the keychain being encrypted with the public key. The user may be associated with one or more keychains, each of which may be further associated with different secrets. Since these secrets correspond to application programs, the association of programs to keychains may be based upon various characteristics, such as the user's rights with respect to the programs. Furthermore, each application program may be accessible by the same or different users so that, e.g., those users having the same access rights for a program may utilize the same keychain containing each user's secrets for the programs.

In the illustrative embodiment, the exchange controller comprises an application program interface (API) that is distributed among user workstations (i.e., workstation APIs) and the authentication database (i.e., the database API); preferably, both the database API and authentication database reside in a network directory services (NDS) system. When the authentication inquiry is received from the program at the controller, the workstation API verifies that the user is a valid network client (i.e., has successfully logged on and has been authenticated to the NDS) by requesting the proper application secret for that particular program. In response to this request, the database API accesses the authentication database and provides the workstation with an encrypted application secret along with the private key for decrypting that secret. The workstation API then decrypts and forwards the proper secret (and user identity) to the particular application program.

Advantageously, authentication of a valid network client is performed automatically by the distributed authentication service for all desired local or network-based applications in the user's associated keychains. That is, authentication is performed transparently (without any further user intervention) and without degradation of network security. Thus, a valid network client does not have to authenticate itself each time it attempts to access an application program. Furthermore, the distributed nature of the authentication service provides the user with access to application programs from any connected workstation in the distributed network. In other words, the inventive service is available throughout the entire network rather than being localized on an individual workstation. The authentication service is also available to all applications and services alike, and is not limited to network-based applications. The flexible association of users, keychains and application secrets enables each user to have its own unique user identity and application secret for every application on the network. Thus, knowledge of one application secret does not compromise the security of all remaining application secrets associated with the user.

Further features and advantages of the present invention as well as the structure and operation of various embodiments of the present invention are described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Additionally, the left-most digit of a reference number identifies the drawing in which the reference number first appears.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of the nature of the invention, reference should be made to the following detailed description taken in connection with the accompanying drawings, in which:

FIG. 1 is a diagram of a distributed data processing network system in which the apparatus and protocol of the invention may be used;

FIG. 2 is an exemplary embodiment of an authentication arrangement including a workstation node, a key generator (KG), a certificate authority (CA), a certificate storage ... revocation service (RS) node in accordance with the invention;

FIG. 3 is a schematized block diagram of the secure authentication database residing on network directory services;

FIGS. 4A and 4B are a flowchart of the functions performed by a workstation application program interface (API) of the present invention; and

FIG. 5 is a flowchart of the functions performed by a database API of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to FIG. 1, a distributed data processing network system 100 includes a plurality of computer nodes, such as user nodes 102a-n and various server nodes 104a-n, interconnected by a communications medium 106. The user node, e.g., a workstation 102a, is a computer generally configured for use by one user at a time, whereas each server 104 is a computer resource running specialized software
applications and services, typically for use by many users. In general, each of the computer nodes includes memory means 108 for storing software programs and data structures associated with the cryptographic methods and techniques described herein. In addition, the nodes further include processor means 110 for executing the software programs, including various algorithms for generating numbers and codes associated with, e.g., passwords, and for manipulating the stored data structures. It will be apparent to those skilled in the art that other processor and memory means, such as encoding and decoding devices, may be used within the teachings of the invention to implement the cryptographic authentication methods and techniques described herein.

To access resources of the network 100, a user typically "logs in" with a server node 104 configured as a directory service (DS) through the local workstation 102a, and then remotely authenticates itself to the DS to acquire access to those resources. Specifically, the user provides an authorized user identity (e.g., a user ... password) to an input/output device 112 of the workstation 102a and the workstation authenticates the log-in attempt using a log-in authentication exchange with the DS. Once authenticated, the user receives its private key, which the workstation 102a uses in subsequent authentication exchanges with remote principals, such as server nodes 104. As noted, these subsequent authentication exchanges consume considerable bandwidth and are burdensome to the user when accessing resources that require authentication.

The present invention is directed to an arrangement for easily and efficiently authenticating a user to various application programs or systems in a distributed network without compromising the security of the network or the confidentiality of the user's information.

An illustrative embodiment of an authentication arrangement 200 of the present invention is shown in FIG. 2. The arrangement includes server nodes 202, a workstation node 210, a key generator (KG) server 218 and a certification authority (CA) 220. In general, the workstation node 210 provides an interface to a user when accessing specialized applications executing on the server nodes 202. The KG 218 is an example of a specialized server application used to register a user in the distributed system 200 by creating an account that includes the user's identity and secret (password). The KG 218 also creates a private/public key pair for aspects of the present invention described below and, thus, must operate in a trustworthy fashion. That is, the KG must choose private/public key pairs at random and must either generate or accept from the users the keys or the passwords used to encrypt or decrypt data. Further, in most implementations, the KG must reliably communicate the generated public key to certification authority 220, so that the CA (e.g., another specialized server application) may cryptographically bind the public key and the user name in a signed "certificate". Then the certificate and the private key will be returned to the directory service to be saved with user information.

In accordance with the invention, the workstation and server nodes may be configured as a distributed authentication service 201 that automates an authentication exchange between a user interface 112 ... 200. The novel distributed service 201 comprises an exchange controller 207 coupled to an authentication database 204 containing a group of encrypted application secrets associated with the user. The controller 207, in turn, comprises an application program interface (API) that is distributed among user workstations (i.e., workstation API 214) and the authentication database (i.e., the database API 206). Illustratively, both the database API and authentication database reside in a network directory services (NDS) system.

The authentication database 204 is preferably a novel secure database containing groups of application secrets for predetermined application programs. Each group of application secrets, referred to as a "keychain", is assigned a public/private key pair by the KG 218 when the keychain is created. The database 204 also contains user objects which ... keychains. The database API 206 manages the authentication database 204 in response to queries generated by workstation API 214.

FIG. 3 is a schematized block diagram of the authentication database 204 of the present invention. The database 204 ... configured ... a user object 302, one or more keychain objects ... attributes in accordance with the present invention as described below. For every valid network user, the attributes of user object 302 include a login public/private key pair and a secret (e.g., the hash of the password). The user object ... authenticate the user when the user logs on to the network. An application object 306 includes, for an associated application program, a program name, a ... that have authority to access the program, and an application program identifier (ID). The program name ... descriptive term that identifies the application program.

The ID is a unique character string typically supplied by the application manufacturer that identifies the application program. However, the present invention reserves a pre-assigned range of IDs for programs that have no IDs assigned to them by their manufacturer. In the preferred embodiment of the present invention, the ID is an ASN.1 (abstract syntax notation; a CCITT/ISO standard) compliant identifier defined as a "Free Form Identifier." However, as those skilled in the art would find apparent, the ID may take on other forms appropriate for the applicable network environment.

Keychain objects, or simply "keychains", are associated with one or more application objects based upon characteristics of the application programs. As noted, a keychain has as attributes at least one application secret and a public/private key pair. The application secret contains data used by the particular program to authenticate the user. Application secrets may be grouped according to, e.g., the access control level (ACL) for each application program. For example, a group of applications on one keychain may require administrative rights for modification, while another group of applications on a different keychain may allow user modifications. In the illustrative embodiment, the application secret is the user's password for that program; however, it will be understood by those skilled in the art that the secret may be any type of secure identification mechanism. The key pair encrypts/decrypts the application secrets associated with a keychain object.

As noted, in the illustrative embodiment, the exchange controller 207 comprises an API that is distributed among user workstations (i.e., workstation APIs 214) and the authentication database (i.e., the database API 206). A particular program, e.g., program 236, issues an authentication inquiry to user 112 in response to an attempt by that user to access the program's processes or data. When the authentication inquiry is received at the controller, the workstation
API 214 verifies that the user is a valid network client (i.e., has successfully logged on and has been authenticated to the NDS) by requesting the proper application secret for program 236. In response to this latter request, the database API 206 accesses the authentication database 204 and provides an encrypted application secret along with the private key for decrypting the secret. The workstation API then decrypts and forwards the proper application secret (and user identity) to the particular application program.

FIGS. 4A and 4B are a flow chart of the function performed by workstation API 214 in response to the authentication request generated by a particular program. As noted, when a user 201 attempts to access a particular application program, such as a local application 240 or network-based application program 236, the particular application program requires that the user be authenticated prior to accessing its processes or data. The function begins at block 400 and proceeds to block 402 where workstation API 214 receives this authentication inquiry from the application program. Upon receipt, the workstation API 214 determines whether the user is a valid network client at block 404. If the user is not a valid network client, workstation API 214 denies the user access to the distributed authentication service at block 406. However, if the user is a valid network client, then the workstation API 214 requests the proper application secret for the particular application program at block 410. For example, the workstation API 214 calls a "Retrieve Application Secret" API for retrieving the user's identity and proper application secrets. Workstation API 214 provides the application identifier of the particular application as part of the API call. The request to the database API 206 is preferably encoded in a network protocol element in a manner that is well-known in the art. The database API 206, in a manner described below with reference to FIG. 5, returns encrypted data and a keychain private key to the workstation API 214. At block 414, the workstation API 214 receives the encrypted data and keychain private key.

At block 418, the workstation API 214 determines whether it successfully received the encrypted data and a public key from the database API 206. If not, access to the distributed authentication service 201 is denied at block 420. If the information is successfully received, the workstation API 214 uses the keychain private key to decrypt the data on the workstation 210 at block 422. After decrypting the data, workstation API 214 returns the resulting user identity and application secret to the particular application program for it to perform its authentication in block 424. The function then ends at block 426.

FIG. 5 is a flowchart of the function performed by the database API of the exchange controller in response to a workstation API's request for an application secret. The function begins at block 500 and proceeds to block 502 where the request is received at the database API 206. At block 504, the database API 206 attempts to locate the application object for the application ID received from the workstation in its request. If the application object cannot be found, the database API 206 returns a service failure indication to the workstation API 214 at block 506. If the application object is found, the database API 206 attempts to locate the user's keychain that contains the application secret for the user at block 508. If there are no keychains or if no such application secret is located in the user's keychain, a failure indication is returned to the workstation API at block 510. Otherwise, at block 512, the encrypted application secret and the keychain private key are returned to the workstation API 214.
Once the user keychain is located, the database API 206 retrieves the encrypted application secret, encrypted user identity, and keychain private key from the authentication database 204 and, at block 514, the database API 206 returns this information to the workstation API. The function then ends at block 516. As noted, at the time of installation the application secret is encrypted by using the keychain private key. Thus, the exchange controller 207 ensures secure transfer of the application secret and keychain private key from the database API 206 to the workstation API 214.
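The following Go program is an added example (not the patent's own code) that puts the database model described with FIG. 3 and the two flows of FIGS. 4A, 4B and 5 together: keychains with a key pair each, application objects reduced to their authorised users, the database API lookup with its failure indications at blocks 506 and 510, and the workstation API's check, request and decrypt path. RSA-OAEP as the keychain public-key encryption, the packing of identity and secret into one plaintext, the OAEP label bound to the application ID, and the application IDs, user name and secrets in the sample database are all constructed assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Keychain mirrors a keychain object: its KG-assigned key pair and its encrypted (user, program) entries.
type Keychain struct {
	Key     *rsa.PrivateKey
	entries map[string][]byte // user + "/" + application ID -> RSA-OAEP ciphertext
}

// AuthDatabase mirrors authentication database 204 in the NDS; each application
// object is reduced here to the set of users that have authority to access the program.
type AuthDatabase struct {
	Apps      map[string]map[string]bool // application ID -> authorised users
	Keychains map[string][]*Keychain     // user name -> keychains the user is associated with
}

// ErrServiceFailure is the failure indication returned at blocks 506 and 510.
var ErrServiceFailure = errors.New("service failure: unknown application or no secret in user's keychains")

// NewKeychain plays the KG's part: it assigns the new keychain its key pair.
func NewKeychain() (*Keychain, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keychain{Key: key, entries: map[string][]byte{}}, nil
}

// Install is the installation-time step: identity and secret are encrypted with the
// keychain public key; the OAEP label binds the ciphertext to one application ID.
func (k *Keychain) Install(user, appID, identity, secret string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.Key.PublicKey, []byte(identity+"\n"+secret), []byte(appID))
	if err != nil {
		return err
	}
	k.entries[user+"/"+appID] = ct
	return nil
}

// RetrieveApplicationSecret is the database API function of FIG. 5: block 504 locates the
// application object, block 508 the user's keychain holding the secret, block 512 returns both.
func (db *AuthDatabase) RetrieveApplicationSecret(user, appID string) ([]byte, *rsa.PrivateKey, error) {
	if !db.Apps[appID][user] { // a missing application gives a nil inner map, which reads as false
		return nil, nil, ErrServiceFailure // block 506
	}
	for _, kc := range db.Keychains[user] {
		if ct, ok := kc.entries[user+"/"+appID]; ok {
			return ct, kc.Key, nil // block 512: encrypted data plus the keychain private key
		}
	}
	return nil, nil, ErrServiceFailure // block 510
}

// HandleInquiry is workstation API 214 running FIGS. 4A and 4B: validate the network client
// (block 404), request the secret (410), check the reply (418), decrypt locally (422), return (424).
func HandleInquiry(db *AuthDatabase, loggedIn map[string]bool, user, appID string) (identity, secret string, err error) {
	if !loggedIn[user] {
		return "", "", errors.New("access denied: not a valid network client") // block 406
	}
	ct, priv, err := db.RetrieveApplicationSecret(user, appID)
	if err != nil {
		return "", "", err // block 420
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(appID))
	if err != nil {
		return "", "", err
	}
	identity, secret, _ = strings.Cut(string(pt), "\n")
	return identity, secret, nil
}

// BuildDemo is a constructed sample: "alice" has an admin-level and a user-level keychain,
// each holding her identity and secret for one program; IDs and secrets are made up.
func BuildDemo() (*AuthDatabase, error) {
	adminKC, err1 := NewKeychain()
	userKC, err2 := NewKeychain()
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	e1 := adminKC.Install("alice", "app-id-notes", "alice-admin", "constructed-secret-1")
	e2 := userKC.Install("alice", "app-id-mail", "alice", "constructed-secret-2")
	if e1 != nil || e2 != nil {
		return nil, fmt.Errorf("install failed: %v %v", e1, e2)
	}
	return &AuthDatabase{
		Apps:      map[string]map[string]bool{"app-id-notes": {"alice": true}, "app-id-mail": {"alice": true}},
		Keychains: map[string][]*Keychain{"alice": {adminKC, userKC}},
	}, nil
}

func main() {
	db, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println(HandleInquiry(db, map[string]bool{"alice": true}, "alice", "app-id-notes"))
}
```

Two points go slightly beyond the text. Binding the OAEP label to the application ID means a ciphertext installed for one program cannot be decrypted by a workstation API that is answering a different program's inquiry, even though both sit on the same keychain. And because block 512 hands the keychain private key itself to the workstation, the "network protocol element" carrying the reply is the part a deployment must protect for confidentiality; this example leaves that transport out and only models the two API functions.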

The present invention supports intra-node as well as inter-node, server-to-server communications. For example, application 228 or service 230 on server 202c may attempt to access applications 236 or services 234 on server node 202b. Under such circumstances, the above process is performed by server API 216 rather than workstation API 214. As one skilled in the art would find apparent, inter-server authentication exchanges may also be performed by the distributed authentication service. Due to the internal communications of such an authentication exchange, security is not an issue. Therefore, either API may decrypt the application secret.

Furthermore, the terms and expressions which have been employed are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described or portions thereof, but it is recognized that various modifications are possible within the scope of the invention claimed.

What is claimed is:

1. A distributed authentication system for automating an authentication exchange between a user and one or more application programs in a distributed network system, the system comprising:

an authentication database containing a keychain of encrypted application secrets associated with the user, each application secret associated with a particular one of the application programs, said particular application program generating an authentication inquiry requesting an application secret associated with the user and said particular application program, wherein said application secret includes said requested application secret; and

an exchange controller, coupled to said authentication database, configured to perform said automated authentication exchange without user intervention by retrieving said requested application secret from said authentication database, decrypting said requested application secret, and providing said decrypted requested application secret to said particular application program in response to said authentication inquiry.

2. The system of claim 1, wherein said requested application secret is encrypted with a public key of a public/private key pair, and further wherein said exchange controller decrypts said requested application secret with a private key of said public/private key pair.

3. The system of claim 1, wherein said authentication database resides in a network directory services (NDS) portion of the distributed network system.

4. The system of claim 1, wherein said particular application program is accessible by a plurality of users, said at least one application secret stored in said authentication database including application secrets associated with each of said plurality of users and said particular application secret.

5. The system of claim 1, wherein said user accesses the distributed network system at a user interface of a workstation, and wherein said particular application program resides on said workstation.

6. The system of claim 3, wherein said distributed network system further comprises a plurality of user workstations, and wherein said exchange controller is distributed among said plurality of user workstations and said NDS.

7. The system of claim 1, wherein the network system 
comprises at least one workstation, said user accessing the 
network through a user interface at said at least one 
workstation, wherein said exchange controller comprises: 

a workstation application program interface (API), 
residing on said at least one workstation, configured to 
perform an authentication exchange with said particu- 
lar application program on behalf of the user; and 

a database API, responsive to said workstation API, 
configured to retrieve from said authentication database 
said requested application secret, 

wherein said workstation API uses said requested appli- 
cation secret to authenticate the user with said particu- 
lar application program. 

8. The system of claim 7, wherein said authentication 
database and said database API reside in a network directory 
services (NDS) portion of the distributed network system. 

9. The system of claim 8, wherein one or more of said at 
least one application secret is associated with a keychain, 
each said at least one application secret associated with each 
said at least one keychain is encrypted with a public key of 
a public/private key pair, wherein said encrypted requested 
application secret is provided to said workstation API. 

10. The system of claim 9, wherein said workstation API 
is configured to decrypt said encrypted application secret 
and to provide said decrypted application secret to said 
particular application program. 

11. A distributed authentication service for efficiently 
authenticating users at any of a plurality of workstations 
with one or more application programs residing on server 
nodes of a distributed network system, the service compris- 
ing: 

an authentication database, residing in a network direc- 
tory service (NDS) of the network system, comprising 
one or more keychains accessible by one or more of 
said users, each keychain comprising at least one 
encrypted application secret, each application secret 
associated with each accessible user and with one of the 
application programs, and further wherein each appli- 
cation secret contained within each keychain is 
encrypted with a public key of a public/private key pair 
assigned to each keychain, 

a workstation application program interface (API), 
residing on the plurality of workstations, configured to 
perform an authentication exchange on behalf of, and 
without intervention of, a user with a particular one of 
the application programs; and 

a database API, residing on said NDS and responsive to 
said workstation API, configured to retrieve from said 
authentication database an application secret associated 
with the user, said retrieved application secret authen- 
ticating the user with said particular application 
program, 

wherein said workstation API decrypts said encrypted 
application secret and provides said decrypted applica- 
tion secret to said particular application program. 

12. The system of claim 11, wherein the distributed 
network system further comprises a network directory 
service (NDS), and wherein said authentication database and 
said database API reside in said NDS. 



13. The system of claim 11, wherein said workstation API 
denies said user access to said particular program when said 
user is not a valid network client. 

14. A method for automating an authentication exchange 
between a user at a user workstation and an application 
program of a distributed network system by an authentica- 
tion service, the method comprising the steps of: 

(a) receiving at an exchange controller an authentication 
inquiry generated by the application program; 

(b) receiving, without user intervention, an encrypted 
application secret associated with the user and said 
application program from a keychain of encrypted 
application secrets associated with the user, each appli- 
cation secret in said keychain being associated with at 
least one particular application program, said keychain 
being stored in a distributed authentication database 
coupled to said exchange controller; and 

(c) decrypting said encrypted associated application 
secret retrieved from the keychain and providing the 
application program with said decrypted associated 
application secret retrieved from the keychain. 

15. The method of claim 14, further comprising the steps 

of: 

(d) prior to said step (b), verifying that the user is a valid 
network client; and 

(e) denying said user access to the authentication service 
when said user is not a valid network client. 

16. The method of claim 14, wherein: 

said encrypted application secret associated with said user 
and said application program is encrypted with a public 
key of a public key/private key stored in said authen- 
tication database. 

17. The method of claim 14, wherein said exchange 
controller comprises a workstation application program 
interface (API) residing on the user workstation, and a 
database API residing in a network directory service with 
said authentication database, said workstation API receiv- 
ing said authentication inquiry from the application 
program, wherein said steps (b) and (c) together comprise 
the steps of: 

(1) transferring a request for said encrypted application 
secret associated with said user and said application 
program from said workstation API to said database 
API; 

(2) retrieving from said authentication database, by said 
database API, said encrypted application secret associ- 
ated with said user and said application program; 

(3) transferring from said database API to said worksta- 
tion API, said encrypted application secret associated 
with said user and said application program; 

(4) denying access to the distributed authentication ser- 
vice by said workstation API when said encrypted 
application secret associated with said user and said 
application program is not received; and 

(5) decrypting said encrypted application secret associ- 
ated with the user and the application program and 
returning said decrypted associated application secret 
to the application program by said workstation API 
when said encrypted application secret associated with 
said user and said application program is received. 

18. The method of claim 17, wherein said encrypted 
application secret stored in said authentication database is 
encrypted with a public key of a public/private key stored in 
said authentication database, and wherein said method also 
comprises the steps of: 
(6) after said step (1), retrieving from said authentication 
database, by said database API, a private key of said 
public/private key; 

(7) after said step (1), transferring said private key from 
said database API to said workstation API; 

(8) decrypting, at said workstation API, said encrypted 
application secret with said private key; and 

(9) forwarding said decrypted application secret to said 
particular application program. 
19. The system of claim 14, wherein said user accesses the 
distributed network system at a user interface of a 
workstation, and wherein said application program resides 
on said workstation. 

20. The system of claim 19, wherein said authentication 
database resides in a network directory services (NDS) 
portion of the distributed network system. 
